Model | Implementation | Defect Management
The Defect Management (DM) practice focuses on collecting, recording, and analyzing software security defects and enriching them with information to drive metrics-based decisions.
The practice’s first stream deals with the process of handling and managing defects to ensure released software has a given assurance level. The second stream focuses on enriching the information about the defects and deriving metrics to guide decisions about the security of individual projects and of the security assurance program as a whole.
In a sophisticated form, the practice requires formalised, independent defect management and real-time, correlated information to detect trends and influence security strategy.
| Maturity level | Stream ADefect Tracking | Stream BMetrics and Feedback | |
|---|---|---|---|
| 1 | All defects are tracked within each project. | Introduce a structured tracking of security defects and make knowledgeable decisions based on this information. | Regularly go over previously recorded security defects and derive quick wins from basic metrics. |
| 2 | Defect tracking used to influence the deployment process. | Rate all security defects over the whole organization consistently and define SLAs for particular severity classes. | Collect standardized defect management metrics and use these also for prioritization of centrally driven initiatives. |
| 3 | Defect tracking across multiple components is used to help reduce the number of new defects. | Enforce the predefined SLAs and integrate your defect management system with other relevant tooling. | Continuously improve your security defect management metrics and correlate it with other sources. |